Once in control, they can silently push new ad-filled "updates" to those users.


One of the coolest things about Chrome is its silent, automatic updates, which ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also covers Chrome's extensions, which are updated by the extension owners. This means it is up to the user to decide whether the owner of an extension is trustworthy, since installing an extension basically gives its owner permission to push new code to your browser whenever they feel like it.

To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension.

We ought to clarify here that Google isn't explicitly responsible for such unwanted adware, but vendors are exploiting Google's extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven't heard back yet. We'll update this article if we do.

Update: Google got back to us, and stated that Chrome's extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose.

User reviews for Add to Feedly complaining about the adware.

A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base.

This isn't a one-time event, either. About a month ago, I had a very simple Chrome extension called "Tweet This Page" suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search of the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google's policy states that the extension the ads come from must be clearly disclosed to the user, and that the ads cannot interfere with any native ads or with the functionality of the website.

Code from Tweet This Page, which hijacks Google, Yahoo, and Bing results and redirects to searchgist.com. (Image: Ron Amadeo)

When malicious apps don't follow Google's disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.

The difficult part of this for users is that normal removal techniques will not work. Virus scanners are unlikely to flag ad-injecting JavaScript as malicious. Extensions are synced to your Google account, which means that even wiping a computer and reinstalling the OS will not remove the malware; signing in to Chrome will just download it again. The only way to be rid of the malware is to find the extension in chrome://extensions and remove it, and then to make sure the removal gets propagated to your account and down to all your other devices. Even once you have it narrowed down to Chrome, since nothing detects a malicious Chrome extension, the best course of action is to meticulously check the latest reviews of every extension and hope that someone else has figured out where the ads are coming from.

What can users do to protect themselves? It's very hard to keep yourself in the loop with Chrome extension updates. Extensions usually don't have changelogs, and there is currently no way to disable extension auto-updating. One way to stay at least slightly informed of what is going on is to install an extension that will notify you when your other extensions get updated. Other than that, the only option is to stop using extensions entirely, which is a little extreme. Keep an eye on the simpler extensions from smaller extension makers; those are the ones most at risk of being gobbled up by a malicious entity. Chrome will require your approval if an extension adds new permissions, but the magic permission that allows ad injection is called "access your data on all web pages," which many legitimate extensions already use, so an ad-injecting update to one of them needs no new approval. A malicious extension buyer could even look specifically for an extension that already uses this permission so that their update will arouse the least suspicion among current users.

The reality, though, is that while it's extremely easy for a novice user to install an extension, it's nearly impossible for them to diagnose and remove an extension that has turned sour, and Chrome Sync will make sure that extension hangs around on all their devices for a long time. The author of Add to Feedly stated that his extension had around 30,000 users before it was sold and packed full of ads. Today, despite the flood of unhappy user reviews, the Chrome Web Store shows 31,548 users. Auto-updating from a trusted source is one thing, but when that user trust can be bought and sold—and extension ownership can change hands without the users being informed—something needs to be done.


Ron Amadeo
Ron is the Reviews Editor at Ars Technica, where he specializes in Android OS and Google products. He is always on the hunt for a new gadget and loves to rip things apart to see how they work. Email: ron@arstechnica.com / Twitter: @RonAmadeo

180 Reader Comments

This is very sad. The biggest mouse gesture extension for Chrome, SmoothGestures, recently started injecting ads with no way to turn them off (short of a paypal extortion payment, but fuck that). Now there is no good ad-free mouse gestures extension.

Google should really ban ad injection, it doesn't help Chrome and it doesn't help the users.

Seems like the security situation is increasingly becoming a one step forward two steps back game. With so much money out there and so many ways to exploit both systems and users to get to their information, I think it'll be a long road to any really substantial long term security improvements.

This is exactly why I don't allow Chrome to auto-update. I blocked the Google Updater, which tries to connect at least 4 times a day, and I assume it does more than just check for updates, but probably calls home to Google servers.

Read here that "auto updates" done silently without user consent are BAD. It's AMAZINGLY bad for users.

You don't know what is updated, from whom, or where. If you were at least notified and had the option to approve an update, then if the next day something does not work as expected, you would at least know or suspect that it could be related to the latest update that introduced a bug.

This is why companies hate auto-updating software as well. How many times has some update broken your whole flow or work because something very small was not.

Also, while you may trust Google, do you trust every server for every piece of software you use on your computer? Just read here on Ars or on the web how servers can be and are compromised. You can have your system as safe as you want, but if one of these pieces of software, from a small or medium developer, is calling home, and his server ever gets compromised, you know what will happen: they are going to push malware to your system.

In this case they just exploited the silent updates on extensions, but there are a lot of reasons why "silent" stuff is extremely dangerous from a user perspective. What is the point of having a secure browser if the extensions cannot be trusted?

This is very interesting. Since Google treats their ecosystem of extensions like an app store, perhaps they could start to impose android-like permissions on them. If that isn't feasible, perhaps they could allow users to tag extensions as malicious and warn users when extensions they have installed get tagged.


They already do have permissions like that. It's just that most extensions need access to page content to be able to do anything useful.

One option might be to publicize when extensions are updated, and maybe when their ownership is transferred.

Or chrome could have an option to disable automatic extension updates. They could then do a sort of web-of-trust thing where people can upvote/downvote extension updates. People could then use the voting to help decide whether to upgrade or not.

It sounds like Google needs to flag ownership changes and NOTIFY USERS about them before the next auto-update of that extension.

------------NoteBuddy has been transferred from Joe Garage to Russian Mafia LLC. Do you want to keep this extension enabled? [ Da ] [ Nyet ]-----------

Yes, this would at least be something, but the problem is that Russian Mafia is going to appear as a valid legal user and customer. They are going to adapt. These are professional hackers and scammers. That will not work as easily. Maybe requiring code signing would be better; the thing is that this just explains the case of an honest user who transfers his app to a rogue user. How about an honest user who becomes evil over time? Or how about evil users who appear to be honest for some time and then change their mind?

Can you really just trust your browser security blindly to everyone that publishes something in Chrome?


I am a Chrome Extension author and have been surprised at the number of people who have contacted me to inject advertisements. At least once per month, if not more.

Only one has offered to outright purchase the extension. Most of the offers are to add one small piece of javascript that injects ads in place of other advertisements on any page the user visits. Those have been offered to me at $0.50 per US-based user per month, which would be an insane amount of revenue from a personal side project, but really shady to do.

Even worse was an offer which would change the users new tab page to actually load an external site instead, full of ads. The user would be clueless as to why their new tab page looked different, since it has no relation to the extension. The only way they could find it would be systematically disabling their extensions until the new tab page looks normal again.

I find it stupid that people seem so angry about the NSA snooping while they routinely give away their privacy to these extension and smartphone app developers with little or no credibility. These guys know who you are, who your friends are, your online habits, your address, whether you're at home or out of town (valuable info for burglars), etc.


There actually are permissions that must be requested by the extension as defined in its manifest. These permissions must be verified by the user on installation, and if they are changed they must be re-approved by the user. However, some of those permissions are pretty broad, allowing authors to inject ads without a change to permissions.

It's nearly impossible to get an ad-laden chrome addon removed. I actually managed to get a Chrome developer to review the addon that annoys me the most in a Hackernews thread (Smooth Gestures, lfkgmnnajiljnolcgolmmgnecgldgeld) and because the scummy addon's developer disclosed the ads the Googler said it followed Google's guidelines, even though the ads were injected into pages right alongside legit ads.

The fact of the matter is that Google's rules are super lax and largely non-enforced. They are not reviewed by a human at all initially! Chrome addons are the Wild West.

Mozilla does an infinitely better job. They do have a human reviewing addons, they don't allow adware or malware, and when they miss something (which of course does happen) they are responsive and take care of it when notified.

There are hundreds of extensions, at least, that have very comprehensive tracking code that will send back data to services that sell the data to other companies. These extensions, like CrxMouse, are literally spyware. Every single page you visit is sent back to their servers, which are actually sending the data to an API by similarweb, who uses that data to sell to other companies to get data on their competitors.

Many of these extensions hide this fact, or have the tracking code disabled at the moment, but it's buried in there like a time bomb. Just search for extensions by "wips.com" and open the source code. You'll find a javascript tracking file in there.

Other shady companies have been contacting every extension developer they can - I don't even have an extension, but because I'd written an article, they mistakenly contacted me about Bookmark Sentry, an extension that already contains ads.

Just for a quick list of add-ons that now have ads: Smooth Gestures, Bookmark Sentry, Neat Bookmarks, Add to Feedly, Mail Checker Plus, Send Using Gmail, Troll Emoticons, Yet another google bookmark extension, screen ruler... you get the picture, but there are a ton more.


Google needs to take responsibility and quality control the extensions, full stop.

Google is the company who benefits from having an ecosystem extending their browser, it's their profit, and their duty to the customers. I've been an Opera guy for a long time, and now wouldn't even entertain Chrome until they take complete charge of absolutely ensuring my safety as a user.

Not exactly. We're asking them to block other companies' ads in their browser's addon store.

That isn't even the point at all. Extensions shouldn't be able to inject ads into third-party sites, period.

First, that web site owner didn't give permission for his/her site to be injected with nonsense ads that most users won't even realize aren't from the site owner.

Second, extensions should work the way any app store does. One "app" in the store shouldn't be able to mess with other apps.

But the biggest problem is that these extensions are injecting ads without the user having to accept a permissions dialog that says "This extension will inject ads all over the place".

Google is just assuming that all users will read the fine print in the description panel, which requires scrolling to the very bottom. That's their equivalent of the checkbox for installing the Ask Toolbar... reading the fine print.


Yes, and the only way to do that is to change their terms of service as this is explicitly permitted right now.

The _way_ they inject ads isn't permitted, where they replace existing ads, or are inserted alongside without being labeled as coming from the addon, etc. But google seemingly doesn't care about that.

I'm not sure how that permissions dialog would work technically. I guess they could allow ads but require that addon authors flag their addon as adware. But I'd prefer for them to just ban adware outright.

Maybe one simple solution is to deactivate extensions when ownership is transferred, notify the user, and let them make the decision of re-enabling or not (also turn off the auto-update function when ownership is transferred). Not perfect, but it can use an existing data point in the system to prevent automatic attacks.


Banning outright would still require some form of human review of the extension. Extensions that mess with the DOM of pages can be useful, but without a person determining whether or not what the extension is doing to that page is injecting ads or something else malicious, there's no way to control it. When publishing an extension, there is a cute check box where a developer can state that the extension injects ads into third-party sites, but it's completely on your honor. I'm guessing many just ignore it and there are no repercussions from Google.

Allowing users to flag extensions that are malicious would definitely be a step in the right direction.

I blame users who can't be bothered to learn about the tech they use every day, day after day, for years on end, all in utter blissful ignorance.

Malware works. Spam works. That's the sad part. Some lowlife actually can extract money from users with malware. If there weren't any money in it, it would stop overnight. There will always be lowlifes. Always and forever. If one in a million people, there will be one. So the users need to get a clue and stop clicking on shit.

As true as that is, it also leaves us hoping that responsible companies will create safe and functional products that we can trust to not stealthily sell us out. Perhaps people had hoped Google would be trustworthy, and their highly popular browser, with sold-as-convenient extensions also trustworthy.

You can blame the users all you like, but there is a vast and legitimate market for well secured, trustworthy technology, for every good reason.


You can already flag extensions, not that it'll do you any good.

What many of you people don't seem to understand is this-- google EXPLICITLY allows adware addons. They need to change that terms of service. They need to be banned. Once that happens, people flag an addon as malicious/adware, and they remove it.


You are correct. I didn't see the "Report Abuse" button they have. I agree with your point, and it does seem strange that it's allowed to happen.

Something I find interesting is that Google Adsense terms of use explicitly states you cannot use it within a Chrome Extension. Definitely mixed messages here. So Google is fine with a developer injecting ads, as long as they aren't Google Ads.

Imagine if they hadn't been obnoxious about injecting noisy ads into every page. How about they silently download ads into a hidden part of every page? That's easy enough to do with an extension. How about keylogging your interaction with your banking site and uploading that? Depending on what permissions the extension was granted when it was first installed it's not out-of-bounds.

Last time I checked, extensions are hosted on their servers and they are pushing them. Pretty sure they could be held responsible...

Not really. There are protections put in place that prevent sites with user-generated content from being held liable for the content their users upload.

As long as they remove illegal content in a timely and good-faith manner they're in the clear. (And in this scenario, it's not clear that the adware-uploaders are breaking any laws or ToS with their actions)

This has been a problem for a couple of years now and has gotten worse with Chrome's increased popularity and unscrupulous extension developers becoming aware of the opportunity. The first big example of this I heard of was the extension "Awesome Screenshot" injecting ads back in 2011.

This issue exists where two goals of the Chrome team meet, and create an unintended consequence:
1. Ask very little of the user. This manifests in Chrome's mostly sensible defaults and lack of configuration options.
2. Keep the browser fast, secure, and standards compliant. Implying regular updates.

So how do you keep the browser and extensions continually updated without constantly harassing the user ala Acrobat/Java/WindowsUpdate? The option the Chrome team has chosen is to do frequent silent updates in the background.

This may not be a problem for Chrome itself if you trust the Chrome developers and expect some accountability if they were to do something nefarious. With respect to extensions the developers are often unknown, there is almost no accountability, and even if an extension is vetted this untrusted 3rd party can push down totally different code 5 minutes after you install the extension and you can't stop it.

Personally, I think Firefox has a better approach in this instance. You can set extensions to update all automatically, update all when initiated by the user, or update individual extensions on demand. However this goes against the "minimal configurability" ethos of Chrome so I don't know if it will change unless there is outside pressure.

If you would like to do things guerrilla-style and simply break the update mechanism for a particular Chrome extension, here you go:
1. (tools) > (extensions) > (developer mode): filled
2. Make a note of the "id" and version number of the extension you want to disable updates for, then close Chrome.
3. Navigate to the Chrome "preferences" file and open it with a text editor. For example, with Linux/Chromium it might be:
/home/<your username>/.config/chromium/Default/Preferences
With Windows/Chrome it might be:
C:\Users\<your username>\AppData\Local\Google\Chrome\User Data\Default\Preferences
4. Search this file for the "id" you made a note of earlier; it may appear multiple times. Near one of the occurrences of this id you will see a line just above it that says "update_url" with an address it checks for new versions.
5. Change the update_url variable to a placeholder address that will not resolve. For example, you might change "http://clients2.google.com/service/update2/crx" to "http://localhost/crx".
6. Save changes and close the preferences file.
7. Run browser.
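The article's point that the "access your data on all web pages" host permission is what an ad-injecting update needs, and the Preferences-file trick in the comment above, can both be worked through on the same data: the per-extension entries Chrome keeps under extensions.settings in the profile's Preferences JSON. The script below is an added example, not code from the article, the commenter, or Google; it assumes those entries carry "manifest", "update_url" and "from_webstore" keys as Chrome of this era wrote them, and the SAMPLE_PREFERENCES dict, its extension ids and names are constructed for the demonstration. It lists every installed extension, flags the ones whose manifest or content scripts ask for a broad host pattern (those are the ones a buyer can turn into an ad injector without triggering a new permission prompt), notes any whose updates come from somewhere other than the Web Store, and can produce a copy of the file with one extension's update_url pointed at the comment's non-resolving placeholder. One caveat the comment does not mention: later Chrome releases keep these entries in a "Secure Preferences" file and cover them with an HMAC, so a hand edit of that kind is likely to be reverted on the next launch.

```python
"""Added example (not the article's or Google's code): audit the extensions
recorded in a Chrome profile's Preferences file and optionally pin one so the
Web Store update check no longer reaches it. Assumes extensions.settings.<id>
entries with "manifest", "update_url" and "from_webstore" keys."""
import copy
import json
import sys
from pathlib import Path
from typing import Any, Dict, List, Set

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# The placeholder the comment suggests; it must never resolve to a real server.
PINNED_UPDATE_URL = "http://localhost/crx"
# Host patterns that let a content script run on, and rewrite, any page.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

SHARE_ID = "abcdefghijklmnopabcdefghijklmnop"  # made-up 32-character ids
ICONS_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"

# Constructed stand-in for a real Preferences file (two fictional extensions).
SAMPLE_PREFERENCES: Dict[str, Any] = {"extensions": {"settings": {
    SHARE_ID: {
        "from_webstore": True,
        "update_url": WEBSTORE_UPDATE_URL,
        "manifest": {
            "name": "Sample Share Button", "version": "1.3",
            "permissions": ["tabs", "storage"],
            # A content script on every http/https page: this is the
            # "access your data on all web pages" permission.
            "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                                 "js": ["inject.js"]}],
        },
    },
    ICONS_ID: {
        "from_webstore": True,
        "update_url": WEBSTORE_UPDATE_URL,
        "manifest": {"name": "Sample Icon Pack", "version": "0.9",
                     "permissions": ["storage"]},
    },
}}}


def host_patterns(manifest: Dict[str, Any]) -> Set[str]:
    """Every host pattern the extension asks for: string entries of the
    permissions list plus each content script's match list."""
    found = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def audit_extensions(preferences: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One record per installed extension; the ones that can touch every page
    sort first, because those are the ones a sold extension needs."""
    records = []
    settings = preferences.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        update_url = entry.get("update_url")
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "all_pages": bool(host_patterns(manifest) & BROAD_HOST_PATTERNS),
            "update_url": update_url,
            # Updates arrive from somewhere other than the Web Store.
            "third_party_updates": update_url not in (None, WEBSTORE_UPDATE_URL),
            "from_webstore": bool(entry.get("from_webstore", False)),
        })
    return sorted(records, key=lambda r: (not r["all_pages"], r["name"]))


def pin_extension(preferences: Dict[str, Any], ext_id: str) -> Dict[str, Any]:
    """Return a copy of the preferences in which ext_id's update_url points at
    the placeholder, so the store's update check for it fails. Chrome must be
    closed while the file is rewritten or it will overwrite the edit on exit."""
    pinned = copy.deepcopy(preferences)
    pinned["extensions"]["settings"][ext_id]["update_url"] = PINNED_UPDATE_URL
    return pinned


def load_preferences(path: Path) -> Dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))


def report(records: List[Dict[str, Any]]) -> str:
    lines = [f"{'all_pages':<10}{'3rd_party_upd':<15}{'version':<9}name (id)"]
    for r in records:
        lines.append(f"{str(r['all_pages']):<10}{str(r['third_party_updates']):<15}"
                     f"{r['version']:<9}{r['name']} ({r['id']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real Preferences path to audit a profile; otherwise use the sample.
    prefs = load_preferences(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    print(report(audit_extensions(prefs)))
```

Run it with no arguments to see the constructed sample, or with the path of a Preferences file (Chrome closed) to audit a real profile. The "all_pages" column is the one to read against the article's advice: an extension with True there is exactly the kind whose next silent update can start injecting ads without any new prompt, whatever its current version does.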